–This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

–light-weight telnet-replacement that lets you execute processes on other systems

–This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

–This one has more, list ‘em

The University of Massachusetts Lowell

91.661 Project-

21

5/4/2011

The Exploit (3)

•ms05_039_pnp

–Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege

–This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot.